It is 74550 bytes, encrypted with the RC4 stream cipher using the key "dfdedkwe3322oeitodkdjeio3e9ekdjwasddcncmvjdasalwpeoryg7534hvn5wewse" and compressed with zlib. The decrypted file is a DLL (PE DLL file), which is additionally packed with UPX.

MD5: 7e0760dcc466b4810a6ccc2767f00cc9

SHA1: 7cbf0c9540729b936f8141a684fc52c803ca0552

A fragment of a memory dump showing the key

The malicious DLL before and after decryption
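An added example (not code from the original report) of how an analyst can strip the two layers described above: RC4 with the quoted key and zlib. The report does not say which layer is outermost, so the helper tries both orders and keeps the one that yields an MZ image; the sample blob is constructed here as a stand-in and is not the real dropped file.

```python
"""Strip RC4 + zlib from a dropped payload and sanity-check the result (analyst helper)."""
import zlib

RC4_KEY = b"dfdedkwe3322oeitodkdjeio3e9ekdjwasddcncmvjdasalwpeoryg7534hvn5wewse"  # key quoted in the report

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def unpack_payload(blob: bytes, key: bytes = RC4_KEY):
    """Try both layer orders (assumption: the report does not state which is outermost); return (plaintext, order)."""
    orders = (("rc4-then-zlib", lambda b: zlib.decompress(rc4(key, b))),
              ("zlib-then-rc4", lambda b: rc4(key, zlib.decompress(b))))
    for name, strip in orders:
        try:
            plain = strip(blob)
        except zlib.error:
            continue
        if plain[:2] == b"MZ":  # keep only an order that produces a DOS/PE image
            return plain, name
    raise ValueError("no layer order yields a PE image with this key")

def describe_pe(data: bytes) -> dict:
    """Cheap checks to run before loading the file: DOS/PE headers and UPX section names."""
    info = {"is_mz": data[:2] == b"MZ", "is_pe": False,
            "upx_packed": b"UPX0" in data or b"UPX1" in data}
    if info["is_mz"] and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        info["is_pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return info

def build_sample_blob(key: bytes = RC4_KEY):
    """Constructed stand-in for the dropped file (NOT the real sample): a minimal fake PE
    carrying UPX section names, zlib-compressed and then RC4-encrypted."""
    pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")      # e_lfanew points to 0x40
    pe += b"PE\0\0" + b"UPX0\0\0\0\0UPX1\0\0\0\0" + b"\x90" * 64   # PE signature + section names
    return pe, rc4(key, zlib.compress(pe))
```

On the real sample, pass the bytes of the dropped file to `unpack_payload` and feed the result to `describe_pe` before handing it to a PE parser or UPX unpacker.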

To run "%Program Files%\Windows NT\svchost.exe" automatically each time Windows boots, the following registry key is added:

Once launched, it switches the code page to 1251 (Cyrillic) and deletes the extracted file "%Temp%\msmx21.exe" as well as itself.

Using "%Program Files%\Windows NT\svchost.exe", the malware checks for Internet connectivity by sending requests to the following websites:

www.microsoft.com

update.microsoft.com

If no direct connection can be established, the malware retrieves the proxy settings of Internet Explorer, Opera and Firefox and tries to connect again through them.

Once a connection is established, a DLL is decrypted from the file "%Program Files%\Windows NT\wsdktr.ltp" and injected into the address space of "%Program Files%\Windows NT\svchost.exe". This DLL is a backdoor that gives the attackers remote access to the infected computer.